
Staples in Northeast likely breached with 'more to come'

Elizabeth Weise
USATODAY
A Staples store in Miami.

SAN FRANCISCO — The office supply chain Staples is investigating a possible breach of credit card data, a company spokesman said Tuesday.

"Staples is in the process of investigating a potential issue involving credit card data and has contacted law enforcement," said Mark Cautela, Staples' senior public relations manager.

The possible breach was first reported by security researcher Brian Krebs.

Security experts believe the thieves are using a form of the same malicious software used in the Target, Home Depot and Dairy Queen attacks, among others. The malware, Backoff, made headlines this past summer.

"Quite frankly, there's more to come," said Kellman Meghu, who was attending the SecTor computer security conference in Toronto.

At the conference, "everyone is talking about" Backoff, he said. "The Point of Sale malware session was standing room only today."

The pattern of credit and debit card fraud suggests that Staples locations in Pennsylvania, New York City and New Jersey were compromised, Krebs reported.

It appears that credit and debit card information had been stolen from the Staples stores and was then used to make purchases at other outlets, often supermarkets or big-box stores.

The United States Computer Emergency Readiness Team, or US-CERT, issued an alert about the Backoff malware on July 31 of this year, at which time it estimated that more than 1,000 U.S. businesses were affected.

This is just another offshoot of the same program used in the Target, Home Depot, Dairy Queen and other attacks, said Meghu, who is head of security research at Check Point Software Technologies in Toronto.

The malware works by exploiting a flaw in POS machines' encryption process.

When the customer swipes a credit card, the information is encoded to protect it from prying eyes.

However, when it goes into memory, it's in clear text.

"It's only in memory for a second, but this malware figured out how to scrape the memory right in that moment, so they get the credit card information," Meghu said.

The malicious software simply sits in the POS terminal, harvests the credit card information and then feeds it to the criminals via the Internet.

Staples' Cautela noted that "customers are not responsible for any fraudulent activity on their credit cards that is reported on a timely basis."

It is unclear when Staples became aware of the possible breach, but the problem appears to have been ongoing.

"It's as if retailers have an alarm system listening for firetruck sirens before taking action instead of doing so at the first signs of smoke. Retailers need to be able to detect cybercrime operations prior to credit card data leaving their network," said Tim Keanini, chief technology officer with Lancope, which provides network monitoring for companies.
